Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Webilia Inc. Listdom allows Blind SQL Injection.

This issue affects Listdom: from n/a through 5.4.0.
Published: 2026-06-17
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of special elements used in an SQL command that allows a blind SQL injection attack against the WordPress Listdom plugin. An attacker could manipulate the SQL query that the plugin constructs, retrieving, modifying, or deleting database contents. Because the injection is blind, an attacker may not see immediate error messages but can infer information through timing or error-based responses, enabling data exfiltration or full database compromise.

Affected Systems

Webilia Inc. provides the Listdom WordPress plugin, versions up to and including 5.4.0 are affected. Any installation of Listdom 5.4.0 or earlier is vulnerable; the official remedy is to update to version 5.5.0 or newer.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity. The EPSS score is not available, so no quantified exploitation probability is published, but the lack of KEV listing suggests no publicly known exploitation yet. The likely attack vector is through a public WordPress site that hosts the plugin, where an attacker may send malicious input to the plugin’s HTTP endpoints. Based on the description, it is inferred that the exploitation requires sending crafted requests containing special characters that are not properly escaped, possibly from an authenticated or unauthenticated context, and relies on the plugin’s blind query execution.

Generated by OpenCVE AI on June 18, 2026 at 11:42 UTC.

Remediation

Vendor Solution

Update the WordPress Listdom Plugin to the latest available version (at least 5.5.0).


OpenCVE Recommended Actions

  • Update the Listdom WordPress plugin to version 5.5.0 or later as supplied by Webilia.
  • If an immediate update is not possible, block or restrict access to the plugin’s vulnerable endpoints using a web application firewall or similar rules to mitigate blind SQL injection attempts.
  • Audit database activity for anomalous queries and rotate database credentials if any suspicious activity is detected.

Generated by OpenCVE AI on June 18, 2026 at 11:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Webilia Inc.
Webilia Inc. listdom
Wordpress
Wordpress wordpress
Vendors & Products Webilia Inc.
Webilia Inc. listdom
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Webilia Inc. Listdom allows Blind SQL Injection. This issue affects Listdom: from n/a through 5.4.0.
Title WordPress Listdom plugin <= 5.4.0 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Webilia Inc. Listdom
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:00:19.857Z

Reserved: 2026-06-16T09:21:46.612Z

Link: CVE-2026-54819

cve-icon Vulnrichment

Updated: 2026-06-17T14:00:14.636Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:57:37Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')